The PCI Council Creates Associate QSA Program To Ease Cybersecurity Talent Shortage

The PCI Security Standards Council on Thursday unveiled its Associate Qualified Security Assessor program aimed at reducing a shortage of data-security professionals in the payments industry.

The Wakefield, Mass.-based PCI Council certifies QSA companies to perform assessments of a firm’s compliance with the Payment Card Industry data-security standard, the main set of security rules with which all merchants, processors, or other entities that handle general-purpose payment card transactions must comply. The new associate program will provide QSA companies with a path to bring in more cybersecurity professionals under the guidance of experienced mentors, the Council said.

“An overall shortage of cybersecurity talent is making it difficult for QSA companies to find suitable new assessors,” PCI Council chief operating officer Mauro Lance said in a news release. “As a result, assessors are increasingly expensive to hire and retain, driving assessment costs up for merchants that rely on their services. The Associate QSA program provides a professional track for new entrants to join the industry and gain experience to qualify as a QSA, easing the resource constraints for QSA companies, and ensuring high-quality QSA services are available for merchants and service providers into the future.”

In a blog post, the PCI Council said the associate certification is designed for employees of QSA companies who “do not yet have enough experience to be a QSA but who are interested in achieving QSA certification in the future.” Associate QSAs can assist in conducting PCI DSS assessments under the oversight of a QSA mentor, someone with at least three years of experience, but they are not qualified to confirm PCI DSS compliance.

Prerequisites for associate certification include employment at an eligible QSA company and a college degree in an information-technology or security-related field, or two years’ experience in IT or security. Applicants must complete an online PCI fundamentals course, attend a class, and pass an exam. Upon certification, they will be listed on the PCI Council Web site.

The Rolling Meadows, Ill.-based ISACA, a non-profit formerly known as the Information Systems Audit and Control Association, says there will be a global shortage of 2 million cybersecurity professionals by 2019. And 84% of organizations queried in one 2015 survey said only half or fewer of applicants for open security jobs were qualified, according to the ISACA.

“We continue to see a marked shortage of qualified cybersecurity talent in all major industries,” Michael Aminzade, vice president of global compliance and risk services at Chicago-based Trustwave, one of the nation’s biggest providers of data-security services, tells Digital Transactions News by email. “One of the best options to address the growing wave of cybercrime is to level the playing field through programs that foster elite security professionals who understand how hackers operate, and can use that knowledge to stop attacks and limit damage when a breach occurs.”